Compliance & Risk Management – The risks associated with installing a video surveillance system

In this fifth issue of the Compliance & Risk Management Newsletter, professionals from Andersen’s 231/Privacy Service Line have explored the topic of video surveillance in the workplace, highlighting the growing importance of adopting appropriate measures to mitigate the risks associated with the installation of a video surveillance system (CCTV), thereby improving governance.

Video surveillance in the workplace: the distinction between lawful and unlawful use pursuant to Legislative Decree 231/2001

The installation of cameras is lawful only if prior authorisation is obtained from the competent local Labour Inspectorate or if an agreement is entered into with the trade union representatives, as provided for in Article 4 of the Workers’ Statute. Failure to comply with this requirement qualifies the activity as covert monitoring of workers, a crime that gives rise to administrative liability for the entity. Defensive surveillance is an exception, which is only lawful in the event of serious and concrete evidence of wrongdoing.

Therefore, in order to strengthen the company’s position, the MOGC must incorporate specific dedicated protocols: from GDPR-compliant privacy notices to the training of managers and the Supervisory Body, to the detailed mapping of areas under video surveillance.

Video surveillance system and facial recognition: how to make it compliant with the GDPR and the AI Act

For compliance purposes (in particular, with the GDPR and the AI Act), the implementation of a video surveillance system with facial recognition necessarily requires a risk-based approach. In addition to defining the purposes for which such a system is to be installed (e.g. security, theft prevention), while taking into account the prohibitions provided for by the AI Act, it is necessary to assess the risks to the rights and freedoms of individuals through a Data Protection Impact Assessment (DPIA), adopting systems that enable compliance with the principle of minimisation.

In organisational terms, it is first necessary to establish clear and comprehensible internal procedures and information visible in the areas under video surveillance. Only by integrating legal, technical and organisational aspects is it possible to use facial recognition in a compliant manner, thus reducing the risks to individuals’ rights.

CCTV system and risk assessment: the most relevant risks

The design and installation of a video surveillance system require careful analysis of all associated risks (technical, legal, organisational, security and liability risks) in order to ensure integrated risk management. Privacy issues should not be underestimated, given that a CCTV system processes images, which are personal data.

The impact of the video surveillance system in the workplace must also be carefully considered, with regard to the provisions of Article 4 of the Workers’ Statute, as well as the technical and operational risks due, for example, to network vulnerabilities.

It is therefore necessary to establish and maintain a stable governance structure that provides for procedures or operating instructions to ensure that the system is used in full compliance with current regulations.